Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint GET /internal/transcripts/{meeting_id} that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.
AnalysisAI
Unauthenticated access to meeting transcripts in Vexa transcription-collector service versions before 0.10.0-260419-1910 allows remote attackers to retrieve sensitive business conversations, credentials, and personally identifiable information. The service exposes an internal endpoint without authentication, enabling enumeration of meeting IDs and bulk extraction of confidential data. No public exploit identified at time of analysis, but exploitation requires only standard HTTP requests with no special conditions (CVSS AV:N/AC:L/PR:N/UI:N).
Technical ContextAI
Vexa is an open-source, self-hostable meeting bot and transcription API platform. The vulnerability exists in the transcription-collector service component, which provides a REST API endpoint GET /internal/transcripts/{meeting_id}. This endpoint was intended for internal service-to-service communication but was inadvertently exposed to external networks without implementing authentication or authorization middleware. The root cause is CWE-306 (Missing Authentication for Critical Function), a design flaw where a security-sensitive function lacks any credential verification before processing requests. The 'internal' path prefix suggests architectural confusion between internal and external API boundaries, with insufficient network segmentation or access control enforcement at the application layer.
RemediationAI
Upgrade immediately to Vexa version 0.10.0-260419-1910 or later, which implements proper authentication for the internal transcripts endpoint per the vendor security advisory at https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh. For environments unable to upgrade immediately, implement network-level access controls by restricting the transcription-collector service to trusted internal networks only-block external access to the service port via firewall rules or place the service behind a reverse proxy with authentication. Note this workaround requires careful network architecture review to identify all paths to the service (load balancers, service mesh, direct container access). Alternative mitigation: deploy the transcription-collector service on an isolated network segment accessible only to authenticated Vexa components via mutual TLS, though this requires significant infrastructure changes and may break existing integrations that rely on unauthenticated access. Validate patch effectiveness by confirming the /internal/transcripts endpoint returns 401/403 status codes without valid credentials.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23887